41554c195bc8c87ddb8bbeacefe77c033f56549a03361dd76c2243546dd1f2d8

Resubmissions

02/11/2023, 21:08

231102-zy2f4shf43 10

02/11/2023, 19:29

231102-x7fjwsec8w 10

30/06/2023, 11:57

230630-n4mdlaae31 7

Analysis

max time kernel
27s
max time network
132s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
30/06/2023, 11:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

payload.exe
Size

9.0MB
MD5

f6c5df8944a965d0d3aa2e124a1935af
SHA1

3ff36a13827d193a85eed40b59646bad1d676986
SHA256

41554c195bc8c87ddb8bbeacefe77c033f56549a03361dd76c2243546dd1f2d8
SHA512

8d75df03c33e9288b2d4b9e941c89ca2e0e7008e151ee3c104292427266043050f9966d0ff6e5c46890bde404337873768a4cde255778418144766646d08ceae
SSDEEP

196608:cTEcVnJULKrytYcJX7Nfjw9cI1qyz+6weSn5NeCX4X6:4EcVnukcJLtlIwqwemrePX6

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1968	2032	WerFault.exe	27

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2032	payload.exe
884	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	884	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 884	2032	payload.exe	29
PID 2032 wrote to memory of 884	2032	payload.exe	29
PID 2032 wrote to memory of 884	2032	payload.exe	29
PID 2032 wrote to memory of 1968	2032	payload.exe	31
PID 2032 wrote to memory of 1968	2032	payload.exe	31
PID 2032 wrote to memory of 1968	2032	payload.exe	31

C:\Users\Admin\AppData\Local\Temp\payload.exe
"C:\Users\Admin\AppData\Local\Temp\payload.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "Get-Culture | Select -ExpandProperty DisplayName"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:884
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2032 -s 1072
  2⤵
  - Program crash
  PID:1968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab16FD.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar176D.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\XH7tUpYh2kxbjqN3WThMFZjhQAHE6s\sensfiles.zip

Filesize
3.8MB

MD5
f0711fdf3cee6cf430c6a055bc4a1e1a

SHA1
8dbce12710910254a5c40987e44a8e316458e82e

SHA256
7ec609187d3b0c3bdffee1e68ee7930c60bdff759d8ac2ad319fe56265e774cb

SHA512
fc6104208bf673abb191adf79df8aa0b21edc0b0f77fe4496047cad8b554a79678eabe3e7478c3840c5801d8e55e914480fdbafdab096840b4e422a74247cdc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\microsoft_default_login_data

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\microsoft_default_webdata

Filesize
92KB

MD5
b011c92d97428236467251e665ec16ed

SHA1
251b2ebb6ec72aeea9d36bee25361edcb9d22fa1

SHA256
984b20dc9d89fc74a1cbf76102a7da6b23f44b6db1489171183fdb589cfbed1b

SHA512
840985e61db210322858bc06bd0e4fe37d653b79681695cb3315b49452758182dc4b1db659e04cf512436d6934d1e165f880fa4030c7cad93ca9e2350521e621

Download Submit
C:\Users\Admin\AppData\Local\Temp\microsoft_network_cookies

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
memory/884-102-0x0000000002A2B000-0x0000000002A62000-memory.dmp

Filesize
220KB

Download
memory/884-100-0x0000000001F50000-0x0000000001F58000-memory.dmp

Filesize
32KB

Download
memory/884-101-0x0000000002A24000-0x0000000002A27000-memory.dmp

Filesize
12KB

Download
memory/884-99-0x000000001B370000-0x000000001B652000-memory.dmp

Filesize
2.9MB

Download
memory/2032-55-0x00000000776F0000-0x00000000776F2000-memory.dmp

Filesize
8KB

Download
memory/2032-57-0x000000013F870000-0x0000000140907000-memory.dmp

Filesize
16.6MB

Download
memory/2032-56-0x00000000776F0000-0x00000000776F2000-memory.dmp

Filesize
8KB

Download
memory/2032-54-0x00000000776F0000-0x00000000776F2000-memory.dmp

Filesize
8KB

Download